A high-severity vulnerability has been identified in the Assaf Parag Poll, Survey & Quiz Maker Plugin by Opinion Stage. This flaw, a Local File Inclusion (LFI), could allow an unauthenticated attacker to trick the web server into exposing sensitive configuration files, such as those containing database credentials. Successful exploitation could lead to a significant data breach and further system compromise.

The vulnerability is an Improper Control of Filename for an Include/Require Statement, commonly known as a Local File Inclusion (LFI). An attacker can manipulate an input parameter sent to the web application, causing a PHP include or require function to load an arbitrary file from the local server's filesystem. To exploit this, an attacker would craft a special request containing path traversal sequences (e.g., ../../) or an absolute file path to a sensitive file, such as wp-config.php or /etc/passwd. The contents of the requested file would then be displayed in the server's response, exposing sensitive information to the attacker.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation can have a severe impact on the business by leading to the exposure of highly sensitive information. This includes database credentials, application source code, API keys, and system-level configuration files. An attacker could use this information to gain unauthorized access to the application's database, escalate privileges on the server, or pivot to other systems within the network, resulting in a significant data breach, reputational damage, and potential regulatory fines.

Immediate Action: The primary and most effective remediation is to apply the security updates provided by the vendor immediately across all affected installations. After patching, organizations should monitor for any signs of exploitation attempts by reviewing web server and application access logs for suspicious requests targeting the vulnerable component.

Proactive Monitoring: Security teams should actively monitor web server access logs for requests containing file path traversal characters (../, ..\/) or requests attempting to access common sensitive files (e.g., wp-config.php, /etc/passwd, C:\Windows\win.ini). Implement alerts for HTTP responses that contain content patterns matching sensitive files, which could indicate a successful LFI attack.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to detect and block LFI attack patterns. Additionally, harden the server's PHP configuration by ensuring allow_url_include is disabled and restricting file system access for the web server user with open_basedir. Enforcing strict file permissions on the server can also limit the web server's ability to read critical system files.

Public Exploit Available: false

Given the high-severity CVSS score of 7.5 and the potential for complete application and data compromise, immediate action is required. Organizations must prioritize the deployment of the vendor-supplied security patch to all affected systems. Although this vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its critical nature warrants urgent attention to prevent potential exploitation and safeguard sensitive organizational data.